Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA

Needing only six seconds per attempt, and with a success rate of 10-15 percent …

Internet users are quite familiar with the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), a quick method that verifies whether the user trying to sign up is a person or a bot. A picture with swirled, mangled, or otherwise distorted characters is displayed, and the user then types in the correct letters or numbers. Thus far, the system has worked well to slow down malicious bots, but recently the groups behind such software have made significant strides. A security firm is now reporting that the CAPTCHA used for Windows Live Mail can be cracked in as little as 60 seconds.

Back in early February, a group cracked Windows Live Hotmail's CAPTCHA. A few weeks later, Gmail's version followed suit. In just over a month's time, some anti-spam vendors were forced to completely block the domain for the popular service as bots signed up for thousands of bogus accounts and began to flood the tubes with e-mail advertisements for lottery tickets and watches. The close proximity of the two cracks has all but sealed CAPTCHA's fate.

To make matters worse, Websense Security Labs is now reporting that the method for getting around Windows Live Mail's CAPTCHA has been improved to the point that a bot can decipher the text and submit a guess in less than six seconds, on average. The anti-CAPTCHA bot targeting Windows Live Hotmail, which hooks itself into Internet Explorer on a victim's machine, has a success rate of about 10-15 percent. That means it takes up to one minute for a single bot to create a new account.

[Image: Windows Live Hotmail's CAPTCHA]

In one day, the bot can amass at least 1,440 accounts. And that's just one bot. This same bot can then send spam to multiple e-mail addresses (using both CC and BCC lists) continuously, switching between accounts (both in the from: and to: fields) in order to lower the chance of being spotted.

Spammers love getting their hands on live.com and hotmail.com addresses, since the chance of such popular domain names being blacklisted is slim to none. Because of how large the Windows Live account system is, in terms of both users and the wide array of services the account is tied to, anti-spam vendors should not be the only ones worried. However, the problem for Microsoft is much bigger than simply tracking down the spamming accounts.

Microsoft, Google, and all other websites that currently use CAPTCHA need to find a solution that puts them a step ahead of the spammers. Using better images and improving CAPTCHA will simply prolong the arms race: spammers will make the proper adjustments to their bots, then make them even faster. Hopefully a workable solution can be found that doesn't make onerous demands on the sincere user. Finding, testing, and implementing a CAPTCHA alternative will of course take time, and while we wait, the spam just keeps flooding in.